Will Strafach, a mobile app security researcher, has shone some light on a practice that should worry a lot of iPhone users, especially those who use the AccuWeather app. Strafach’s report claims that the AccuWeather application for iOS is sending location information to a data monetization firm known as Reveal (Reveal Mobile).
Reveal is a company that prides itself on its ability to determine where app users live, work and shop and then use this information for monetization. “Location data also informs the home and work location of customers. Pairing this information with existing demographic targeting criteria allows retailers to target consumers with a high propensity to visit based upon two of their most relevant locations,” reads a section on Reveal’s website.
Strafach’s analysis of AccuWeather showed that the app requests location access “to provide users localized severe weather alerts, critical updates, and faster launch time,” but once access is granted, it sends the location information to revealmobile.com. He further disclosed that the iPhone he used for the test sent location data 16 times over a period of 36 hours. The collected information includes:
- Your precise GPS coordinates, including current speed and altitude.
- The name (SSID) and BSSID of the Wi-Fi router you are currently connected to. The BSSID is the router’s hardware address, and Wi-Fi positioning databases map BSSIDs to physical locations, so it can be used to geolocate the device without any GPS fix.
- Whether your device has Bluetooth turned on or off.
If you do not grant AccuWeather access to your GPS location, Strafach claims that the app still sends the Wi-Fi router name and BSSID, giving Reveal a less precise but still usable fix on the device’s whereabouts. A home router’s BSSID rarely changes, so repeated reports of the same BSSID are enough to infer where a user lives, which is exactly the kind of inference Reveal markets.
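The way to verify a claim like this for any app is to proxy the device’s traffic and look for location-bearing fields in each outbound request, including the case where GPS permission was denied but a BSSID still goes out. The following is an added example, not Strafach’s tooling or any code from AccuWeather or Reveal: it scans a constructed capture (invented hostnames and request bodies, no real traffic) and flags requests that carry coordinates, Wi-Fi identifiers or a BSSID, marking the “BSSID without GPS” case separately.

```python
import re

# A BSSID is a MAC-style address such as "a4:2b:8c:11:22:33".
BSSID_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample capture, as a MITM proxy might log an app's outbound
# requests. Hosts and payloads are invented for this example; none of this
# is real AccuWeather or Reveal traffic.
SAMPLE_CAPTURE = [
    {"host": "api.example-weather.test", "path": "/forecast",
     "body": {"zip": "10001"}},
    # Location permission granted: GPS plus Wi-Fi identifiers go to a third party.
    {"host": "sdk.example-monetizer.test", "path": "/v1/beacon",
     "body": {"lat": 40.7128, "lon": -74.0060, "speed": 1.2, "alt": 10.0,
              "wifi": {"ssid": "HomeNet", "bssid": "a4:2b:8c:11:22:33"},
              "bt": True}},
    # Location permission denied: no coordinates, but the BSSID still leaks.
    {"host": "sdk.example-monetizer.test", "path": "/v1/beacon",
     "body": {"wifi": {"ssid": "HomeNet", "bssid": "a4:2b:8c:11:22:33"},
              "bt": False}},
]

COORD_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
WIFI_KEYS = {"ssid", "bssid"}


def flatten(obj, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested JSON-like object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix[:-1], obj


def classify_request(req):
    """Return the set of location signals ('gps', 'wifi', 'bssid') in one request.

    Keys are matched by their leaf name, so nested fields like wifi.bssid count.
    A BSSID is recognised by its value format, not only by its key name, so a
    renamed field such as "ap": "a4:2b:..." would still be caught.
    """
    signals = set()
    for key, value in flatten(req["body"]):
        leaf = key.rsplit(".", 1)[-1].lower()
        if leaf in COORD_KEYS:
            signals.add("gps")
        if isinstance(value, str) and BSSID_RE.match(value):
            signals.add("bssid")
        elif leaf in WIFI_KEYS:
            signals.add("wifi")
    return signals


def find_location_leaks(capture, first_party_hosts):
    """List every request that carries a location signal.

    first_party_hosts: hosts the app legitimately needs (assumed known to the
    analyst). Anything else carrying location data is flagged as third party.
    bssid_only marks the case the article describes: no GPS coordinates, but a
    BSSID that can still be resolved to a location.
    """
    findings = []
    for req in capture:
        signals = classify_request(req)
        if not signals:
            continue
        findings.append({
            "host": req["host"],
            "path": req["path"],
            "third_party": req["host"] not in first_party_hosts,
            "signals": sorted(signals),
            "bssid_only": "bssid" in signals and "gps" not in signals,
        })
    return findings


if __name__ == "__main__":
    for finding in find_location_leaks(SAMPLE_CAPTURE, {"api.example-weather.test"}):
        print(finding)
```

In practice the capture would come from a proxy such as mitmproxy or Charles with the device’s TLS trust configured to accept the proxy certificate; the scanner above is deliberately independent of the capture tool, so it only needs each request reduced to host, path and decoded body.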
Following these claims, AccuWeather responded by dismissing Strafach’s findings as “stories to the contrary from sources not connected to the actual information.” AccuWeather went on to argue that “other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.”
The company then goes on to say, “To avoid any further misinterpretation, while Reveal is updating its SDK, AccuWeather will be removing the Reveal SDK from its iOS app until it is fully compliant with appropriate requirements. Once reinstated, the end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending removal of the SDK and then later reinstatement.”
Reveal also released a statement, which reads, in part, “We follow all app store guidelines, honoring all device level and app level opt-outs and permissions. If someone chooses to disable location permissions to an app using our technology, we collect no location information from that device. We do not attempt to reverse engineer a device’s location based upon other data signals like Bluetooth when location services are disabled.”
“In looking at our current SDK’s behavior, we see how that can be misconstrued. In response to that, we’re releasing a new version of our SDK which will no longer send any data points which could be used to infer location when someone opts out of location sharing,” the statement adds.
Strafach says he has identified Frank’s Forecast Weather App from KPRC 2 as another app exhibiting the same behaviour. The worrying part is that other companies do what Reveal does: even if Reveal mends its ways, any app bundling an SDK that reports Wi-Fi identifiers regardless of the location permission leaves its users exposed, and there is no telling how many such apps are still out there.